Executive Summary: Every firewall product you examine should have an easy-to-use management console, provide basic perimeter defenses, accept TCP and UDP port blocking, support stateful inspection packet filtering, and be easily upgradable both by swapping out existing hardware and replacing existing software.

In a world filled with a menagerie of security threats—viruses, malware, phishing attempts, and outright hacking by cyber criminals—giving your IT infrastructure a solid security foundation is a must. An integral part of any network security strategy is the firewall appliance, an infrastructure component that can limit external access to your corporate network to only trusted users and organizations. Firewalls are available in both hardware and software varieties; in this buyer’s guide I take a look at hardware firewall appliances priced at less than $15,000. Many advanced/deluxe firewall features are available by subscription only, so be sure to calculate the total cost of the firewall solution in addition to the cost of the base appliance.

Features Every Firewall Appliance Should Have

When you’re shopping for a firewall appliance, you should start with the basics: Every product you examine should have an easy-to-use management console, provide basic perimeter defenses, accept TCP and UDP port blocking, support stateful inspection packet filtering, and be easily upgradable, both by swapping out existing hardware and replacing existing software. Beyond these basic features, here are some other things to watch for.

Throughput. According to Tony Howlett, CTO of the security consulting firm Network Security Services, matching a firewall appliance with your network throughput needs is essential. “Will [the firewall appliance] handle your network load in and out? Is it sized to provide room for growth in the future?” questions Howlett. “Or, will you have to replace the hardware if your [network-bandwidth needs] grow significantly?” According to a September 2007 report by the Gartner Group on enterprise network firewalls, the average maximum throughput of the firewall vendors they surveyed was 2.5Gbps of network traffic, and the intrusion prevention system (IPS) load of those same products averaged about 945Mbps. Getting a firewall appliance that can accommodate your data-throughput needs is just as important as acquiring other product features.

Manageability. The ability to manage your appliance effectively and centrally is a key to any product purchase, including enterprise firewalls. Many firewall vendors are particular about how they license their appliances. “In larger companies [with] certified experts on staff, an enterprise firewall from a large vendor often makes the most sense,” says Howlett. “However, if you have a small IT staff with no specific expertise, you might want to consider one of the smaller [firewall appliance vendors] that use web interfaces and include some reporting software with their base units.” Howlett adds that larger organizations also need to consider how easily they can manage a chosen product when using it with multiple units of the same appliance or with other firewall appliances from different vendors.

Extensibility. Many firewall appliance vendors have added extra security features to their products, making them much more than simple firewalls. “Appliances are using names such as ‘unified threat management’ and ‘intrusion prevention system,’” says Howlett. “Some units let you add content filtering, email spam filtering, compliance monitoring, and more, all on the same box. However, if your network is large, having separate appliances might give you more flexibility in picking specific features and vendors.” Many firewalls now provide VPN capabilities.

Don’t Forget the Basics

Maintaining network security is one of the most important responsibilities of any IT professional, and it’s vital that the products you choose have some important (albeit basic) features. “The ability to perform packet-, circuit-, and application-level filtering is especially important,” says Windows IT Pro Technical Director Michael Otey. “This is especially important with the increasing use of web services and XML. The ability to perform caching is also another significant consideration.”

Things to Avoid

In addition to looking for features your appliance should have, Howlett suggests that IT pros do their best to avoid making mistakes such as the following:

• Buying a firewall with an inadequate number of features or features that don’t meet your needs. “You don’t want to find out a few months or a year later that you have to upgrade,” says Howlett.
• Buying a device that is too complicated or requires an inordinate amount of training and support costs.
• Buying into the “buzzword” mentality rather than investigating what the product actually does. Do you really need the very latest hardware with the catchy brand and feature names?
• Buying features you will never use.

“Make sure that you have the in-house or contract expertise to properly configure and maintain your firewall,” says Howlett. “A badly configured firewall is nearly as bad as no firewall at all.”

The world of network security is filled with cautionary tales of enterprise firewall installations gone bad. Howlett has come across firewalls that haven’t been updated or monitored for months (if not years), leaving critical vulnerabilities that the vendor patched and updated long ago. Some administrators never think to check their firewall vendor for firmware updates, a task that Howlett sees as vital. “You should treat [your firewall appliance] like any other OS, perhaps even more so because it guards the entrance to your network,” says Howlett. “Be sure to regularly review [installed firewall appliances] for required updates and maintenance.”

In the end, even the best product and a fault-free installation can’t protect your network from human error or basic carelessness. “One customer had his Windows domain server open via RDP login attempts to the whole world with a simple administrator password,” Howlett says. “It’s a miracle it was never breached. Then again, maybe it was and the customer just never knew it.”
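The kind of misconfiguration Howlett describes (a management service such as RDP reachable from the whole Internet) is easy to catch with a periodic review of the rule base. The following is an added example, not code from the article or from any vendor: it models a first-match rule list with an implicit deny, a constructed list of management ports, and 10.0.0.0/8 as the assumed trusted internal range, and shows the weak rule set beside the corrected one.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR notation
    dport: Optional[int]   # destination port; None matches any port

# Remote-management services that should not be reachable from the Internet.
# Constructed list for this example; extend it to match your environment.
MANAGEMENT_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP", 5900: "VNC"}

def decide(rules, proto, src_ip, dport):
    """First-match evaluation with an implicit deny when nothing matches,
    the usual behaviour of a perimeter firewall for new connections."""
    src = ip_address(src_ip)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if src not in ip_network(r.src, strict=False):
            continue
        return r.action
    return "deny"

def audit(rules):
    """Return {port: service} for every management service an arbitrary
    Internet host could reach. 203.0.113.5 is a documentation address used
    as the probe source; any address outside your trusted ranges would do."""
    probe = "203.0.113.5"
    return {p: s for p, s in MANAGEMENT_PORTS.items()
            if decide(rules, "tcp", probe, p) == "allow"}

# The misconfiguration from the anecdote: RDP allowed from anywhere.
WEAK = [
    Rule("allow", "tcp", "0.0.0.0/0", 3389),
    Rule("allow", "tcp", "0.0.0.0/0", 443),
    Rule("deny", "any", "0.0.0.0/0", None),
]

# Corrected: RDP only from the internal network (10.0.0.0/8 assumed), the
# same public web service, and an explicit deny-all at the end.
FIXED = [
    Rule("allow", "tcp", "10.0.0.0/8", 3389),
    Rule("allow", "tcp", "0.0.0.0/0", 443),
    Rule("deny", "any", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    print("weak:", audit(WEAK))    # {3389: 'RDP'}
    print("fixed:", audit(FIXED))  # {}
```

Run it against an export of your own rule base (after writing a small loader for your vendor's format) as part of the regular review Howlett recommends.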

See associated table